axel crashes with long urls

Bug #159112 reported by Vicente Ruiz
Affects | Status | Importance | Assigned to | Milestone
axel (Debian) | Fix Released | Unknown | |
axel (Ubuntu) | Fix Released | Low | Unassigned |

Bug Description

Binary package hint: axel

When axel with long urls is executed, it crashes.

$ axel "http://vp.video.google.com/videodownload?version=0&secureurl=twAAAA3Qhb_yZfxT_xXwqOm35NKPlYfprC-HzYdL9d5x7Wv71_yCE_5qhHKhMQS-ldm-ZgIHaVNFEeQ6x_hTnkcpCXyhs2lpS6NgsGdz_e4KegjJXbQ9C5kIUn7I9QvmruJ1NNo8gG9CpSD1hIwGMcvEdidGAnyC4FA3kSzE_bNRU_NXsTtLsDFOjZvV4BMi_7jSmLNaWLUEIvEx8GYAPIeRFKnTBOEQV75ihbk0I88xcJdB2xdpOU3GnYP7LYBd-7VTRw&sigh=Fb8RlxyOr6sEmwD4IA4y_S88D5I&begin=0&len=2800520&docid=-2084919753106562775"
Initializing download: http://vp.video.google.com/videodownload?version=0&secureurl=twAAAA3Qhb_yZfxT_xXwqOm35NKPlYfprC-HzYdL9d5x7Wv71_yCE_5qhHKhMQS-ldm-ZgIHaVNFEeQ6x_hTnkcpCXyhs2lpS6NgsGdz_e4KegjJXbQ9C5kIUn7I9QvmruJ1NNo8gG9CpSD1hIwGMcvEdidGAnyC4FA3kSzE_bNRU_NXsTtLsDFOjZvV4BMi_7jSmLNaWLUEIvEx8GYAPIeRFKnTBOEQV75ihbk0I88xcJdB2xdpOU3GnYP7LYBd-7VTRw&sigh=Fb8RlxyOr6sEmwD4IA4y_S88D5I&begin=0&len=2800520&docid=-2084919753106562775
*** glibc detected *** axel: free(): invalid next size (normal): 0x08060fb0 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0xb7e21d75]
/lib/tls/i686/cmov/libc.so.6(cfree+0x90)[0xb7e25810]
/lib/tls/i686/cmov/libc.so.6(fclose+0x134)[0xb7e10704]
/lib/tls/i686/cmov/libnss_files.so.2(_nss_files_getservbyname_r+0x1b2)[0xb7c7cd22]
/lib/tls/i686/cmov/libc.so.6(getservbyname_r+0xed)[0xb7ea444d]
/lib/tls/i686/cmov/libc.so.6(getservbyname+0x7e)[0xb7ea427e]
axel[0x804b9cf]
axel[0x8049557]
axel[0x804f3a3]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe0)[0xb7dce050]
axel[0x8049091]
Cancelado (core dumped)

ProblemType: Bug
Architecture: i386
Date: Wed Oct 31 21:17:24 2007
Dependencies:
 libgcc1 1:4.2.2-3ubuntu3
 gcc-4.2-base 4.2.2-3ubuntu3
 libc6 2.6.1-6ubuntu2
DistroRelease: Ubuntu 8.04
Package: axel 1.0b-1.1ubuntu1
PackageArchitecture: i386
SourcePackage: axel
Uname: Linux SamsungX05 2.6.22-14-generic #1 SMP Sun Oct 14 23:05:12 GMT 2007 i686 GNU/Linux

Tags: apport-bug
Revision history for this message
In , Y Giridhar Appaji Nag (appaji) wrote :

tags 196431 +confirmed
thanks

Axel currently cannot handle strings of length over 256 (MAX_STRING in
axel.h) and should exit gracefully. Fix forthcoming.

Giridhar

On 03/06/06 18:34 -0400, Joseph Barillari said ...
>
> Note that that ultra-long URL is valid. If the URL is invalid (e.g., a

--
Y Giridhar Appaji Nag | http://www.appaji.net/

Revision history for this message
Kees Cook (kees) wrote :

Thanks for the report! Yes, this looks like a heap overflow in axel. Ubuntu since Feisty is not vulnerable (and only results in a crash), due to the built-in glibc protections.

Changed in axel:
importance: Undecided → Low
status: New → Confirmed
Changed in axel:
status: Unknown → Confirmed
Revision history for this message
In , Y Giridhar Appaji Nag (appaji) wrote : Re: Bug#196431: axel crashes on long urls

tags 196431 +patch
thanks

On 07/09/14 15:55 +0530, Y Giridhar Appaji Nag said ...
> Axel currently cannot handle strings of length over 256 (MAX_STRING in
> axel.h) and should exit gracefully. Fix forthcoming.

Attached patch ...

1. Exits if the URL is over MAX_STRING in length
2. Increases MAX_STRING to 1024 from 256 to be more useful :)

Giridhar

--
Y Giridhar Appaji Nag | http://www.appaji.net/
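
Item 1 of the patch description above (reject a URL that does not fit in MAX_STRING instead of copying it), sketched as an added example; this is not axel's code and not the attached patch. It goes one step further than the description by also bounding each component copy. The names `url_parts`, `copy_field` and `parse_url_checked` and the `example.test` input are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define MAX_STRING 1024 /* limit after the patch described above (was 256) */
/* Hypothetical record with fixed-size fields; not axel's own struct. */
struct url_parts {
    char host[MAX_STRING];
    char path[MAX_STRING];
};

/* Copy n bytes into a MAX_STRING field and terminate it; refuse if it cannot fit. */
static int copy_field(char *dst, const char *src, size_t n)
{
    if (n >= MAX_STRING)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Returns 0 on success, -1 for a missing "://" or a URL of MAX_STRING bytes or more. */
int parse_url_checked(const char *url, struct url_parts *out)
{
    const char *host, *slash;
    size_t len = 0;
    while (len < MAX_STRING && url[len] != '\0')  /* bounded length scan */
        len++;
    if (len >= MAX_STRING || (host = strstr(url, "://")) == NULL)
        return -1;                                /* reject before any copy */
    host += 3;
    if ((slash = strchr(host, '/')) == NULL)
        slash = url + len;                        /* no path: point at the terminator */
    if (copy_field(out->host, host, (size_t)(slash - host)) != 0)
        return -1;
    return *slash ? copy_field(out->path, slash, strlen(slash))
                  : copy_field(out->path, "/", 1);
}

int main(void)
{
    static char url[2 * MAX_STRING] = "http://example.test/v?secureurl="; /* constructed */
    struct url_parts p;
    memset(url + 32, 'A', 400);                   /* 432 bytes: over 256, under 1024 */
    printf("432-byte URL:  %d\n", parse_url_checked(url, &p));
    memset(url + 32, 'A', 1500);                  /* 1532 bytes: over the limit */
    printf("1532-byte URL: %d\n", parse_url_checked(url, &p));
    return 0;
}
```

A caller that gets -1 prints an error and exits, which is the graceful failure the comment asks for.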

Revision history for this message
In , Y Giridhar Appaji Nag (appaji) wrote : bugs pending upload for axel 1.0b-4

tags 196431 -confirmed
tags 196431 +pending
tags 419679 +pending
tags 448964 -confirmed
tags 448964 +pending
tags 449368 +pending
tags 449507 +pending
thanks

--
Y Giridhar Appaji Nag | http://www.appaji.net/

Changed in axel:
status: Confirmed → Fix Committed
Revision history for this message
In , Y Giridhar Appaji Nag (appaji) wrote : Bug#196431: fixed in axel 1.0b-7

Source: axel
Source-Version: 1.0b-7

We believe that the bug you reported is fixed in the latest version of
axel, which is due to be installed in the Debian FTP archive:

axel-kapt_1.0b-7_all.deb
  to pool/main/a/axel/axel-kapt_1.0b-7_all.deb
axel_1.0b-7.diff.gz
  to pool/main/a/axel/axel_1.0b-7.diff.gz
axel_1.0b-7.dsc
  to pool/main/a/axel/axel_1.0b-7.dsc
axel_1.0b-7_i386.deb
  to pool/main/a/axel/axel_1.0b-7_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Y Giridhar Appaji Nag <email address hidden> (supplier of updated axel package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 26 Dec 2007 11:19:32 +0530
Source: axel
Binary: axel-kapt axel
Architecture: source i386 all
Version: 1.0b-7
Distribution: unstable
Urgency: low
Maintainer: Y Giridhar Appaji Nag <email address hidden>
Changed-By: Y Giridhar Appaji Nag <email address hidden>
Description:
 axel - A light download accelerator - Console version
 axel-kapt - A light download accelerator - Console version front-end
Closes: 196431 359368 419679 448964 449368 449507 454233
Changes:
 axel (1.0b-7) unstable; urgency=low
 .
   * Remove unnecessary debian/*.dirs files.
   * Patch 09_potrans: Updates de.po, thanks Hermann J. Beckers
     <email address hidden>
   * Patch 10_manpage: fix lintian I: hyphen-used-as-minus-sign
   * /usr/doc transition is too old, removed maint scripts
 .
 axel (1.0b-6) unstable; urgency=low
 .
   * Update 08_axelkapt to use simple pop-ups for the Help and Bug Report
     buttons.
   * Use && instead of -a for tests in maint scripts. Fixes lintian
     informational message I:possible-non-posix-code-in-maintainer-script
   * Remove empty maint script axel-kapt.postrm, thanks Mario Iseli.
 .
 axel (1.0b-5) unstable; urgency=low
 .
   * Use debhelper for packaging (Closes: #454233)
   * Bump up Standards-Version to 3.7.3, no changes
   * Patch 06_buildopts: patch configure script to conform to Policy (10.1
     Binaries)
   * Patch 07_desktop: axel-kapt desktop file passes desktop-file-validate.
     Cleanup in 1.0b-4 made a dpatch
   * Patch 08_axelkapt: Use x-terminal-emulator instead of hardcoding the
     terminal program
   * Use Vcs-*:, move Homepage: from Description: to its own line
 .
 axel (1.0b-4) unstable; urgency=low
 .
   * Acknowledge /usr/doc transition NMU (closes: #359368)
   * Patch 03_longurl: increase max URL length, Don't crash on long URLs
     (closes: #196431).
   * Patch 04_ftpcwd: Prevent crash if FTP CWD fails (closes: #449368)
   * Patch 05_strncpy: Use strncpy instead of strcpy for length sensitive
     copies (closes: #449507).
   * Remove backup (~) files (closes: #448964)
   * Adopted by Y Giridhar Appaji Nag <email address hidden> (clos...

Changed in axel:
status: Fix Committed → Fix Released
Revision history for this message
Wouter Stomp (wouterstomp-deactivatedaccount) wrote :

This is fixed in 1.0b-7, but hardy still has 1.0b-3.

Revision history for this message
In , Debbugs Internal Request (owner-bugs) wrote : Internal Control

# A New Hope
# A log time ago, in a galaxy far, far away
# something happened.
#
# Magically this resulted in the following
# action being taken, but this fake control
# message doesn't tell you why it happened
#
# The action:
# Bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator

Revision history for this message
Wouter Stomp (wouterstomp-deactivatedaccount) wrote :

Fixed in intrepid.

Changed in axel:
status: Confirmed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.